Social Engineering: How an Email Becomes a Cyber Threat

Social engineering has been a staple of fraud since the dawn of time. There are even movies that glorify the fraudsters for their elaborate schemes. The Sting and American Hustle are great examples, and there are many more. As the world has become more digital, fraudsters have learned to leverage technology at massive scale. When you add in social networking, hackers now have a fertile environment in which to sow their mischief.

As data moves online, social engineering techniques, in which cyber thieves perform reconnaissance, collect personal information about company employees and then attempt to get those employees to take an action, have become far more personalized, technologically advanced and ultimately successful.

Enterprises and their employees should be aware of multiple social engineering techniques.

• Baiting is a technique in which an attacker offers an incentive to draw in a target; it can be effective in convincing a person to download malicious software onto his or her computer.

• Pretexting is another, in which an individual uses misrepresentation to gain access to privileged information. This technique has been increasingly successful as cyber thieves gain access to identifying information to personalize the attack.

• Perhaps the best-known type of social engineering is phishing, a technique in which an attacker attempts to obtain private information such as a social security number or authentication code. In phishing scams, a fraudulent email or other form of communication is often disguised as a legitimate engagement from a “trusted” source requesting information. As with pretexting, phishing attempts tend to be most successful when the attempt is personalized.

• Spear-phishing, a derivative of phishing, is targeted at a specific person or role in an organization. Hackers leverage freely available information to craft an email likely to appeal to the target.

There are two crucial, complementary actions companies should take in order to decrease the likelihood of successful social engineering: incorporating technology solutions that tackle social engineering head-on, and implementing a robust training program for employees to better understand these techniques. These two actions reduce the frequency of occurrence (by identifying and blocking attacks) and the likelihood of success of an attack when one evades your defenses.

How to Defend Against These Attacks

Today, one of the best ways to defend against social engineering is to beef up security through employee education. In combination with technology solutions, employee education can help build awareness of common social engineering techniques, such as phishing. According to the 2015 Data Breach Investigations Report by Verizon, nearly one in four employees will open a phishing email.

Rather than training employees based on theoretical ideas, companies should adopt a real-world training approach. Smart companies will incorporate security testing tailored to employees’ everyday business operations. These simulations ensure all products, applications and networks are sufficiently robust to cope with potential threats, and they also show what an attack actually looks like and how easily it can happen. Perhaps most importantly, they let companies assess the security awareness of their staff and the effectiveness of their security training.

Effective training can greatly reduce the effectiveness of phishing attacks. Ultimately, however, action is in the hands of the employees, which means there is never a 100% guarantee that a social engineering attack won’t be effective. To further mitigate these risks, companies should consider a risk assessment related to various forms of penetration, including their email security solutions.

The benefits of a dedicated email security solution to bolster protection for this critical vulnerability point are extensive. In addition to combatting email-based malware attacks, an email security solution will allow firms to monitor for communications that could be indicative of phishing, baiting, pretexting and other known social engineering techniques.

When considering on-premises solutions versus cloud-based solutions, the most commonly cited pro-cloud factors are added cost efficiencies, real-time updates and greater flexibility for businesses. However, a cloud-based solution to email security can have a significant effect, far beyond the typical benefits the IT team has come to know. With this type of solution:

• Protection, not just detection, can be achieved: By stopping attempts at social engineering at the point of entry, IT teams are offering actual prevention.

• Isolation (malware never enters a system): Reducing the frequency and likelihood of success of an attack is not a guarantee. By isolating the email system on a hosted network, you can prevent social engineering attacks from ever hitting an end user’s machine, and IT teams can ensure that links can’t be clicked and malware can’t be installed.

• More real-time security programs can be advanced: By considering one of the handful of email security vendors that offer URL rewriting at the time of a click-through, businesses can minimize security risks.

Bad actors and hackers will continue to identify innovative ways to attack enterprises. Therefore, a two-pronged methodology that incorporates employee education and a dedicated email security solution is needed. This limits the number of potentially malicious emails that make it to employees and prepares them to handle those that get through.

While there is no way to guarantee thieves won’t gain access to a company’s network, these techniques can make it far more difficult for criminals to launch a successful social engineering attack.

Bill Sweeney is the US financial services evangelist of BAE Systems Applied Intelligence and is entrusted with cultivating innovative technology solutions in cyber security, fraud prevention and regulatory compliance for buy- and sell-side professionals worldwide.
For more than 20 years, Bill has leveraged emerging and state-of-the-art software and services to empower and transform investment operations as well as control risks. He has served as CIO and CTO for a number of marquee-name banks, hedge funds and Wall Street firms. Prior to joining BAE Systems Applied Intelligence, Bill served as chief information officer of compliance and legal technology for Citi. From 2008 to 2012, he was director of research technology for hedge fund Bridgewater Associates. In addition to serving in senior roles for several technology boutiques, Bill also was CTO of HSBC. He is a graduate of Manhattan College and earned his master’s degree in computer science from the University of Southern California.